In late February, the SEC approved what it labeled “Guidance on Public Company Cybersecurity Disclosures.” And, sure enough, about three-quarters of its 24 pages focus on the various categories and locations of cybersecurity risk and incident disclosure obligations, as well as materiality determinations. Because the SEC’s much-anticipated guidance appeared right in the thick of calendar-year companies’ Form 10-K and proxy statement preparations, much attention has been paid to its disclosure aspects. But as the dust settles on Form 10-K and proxy statement filings, don’t lose sight of the SEC’s important governance guidance.
Disclosure Controls and Procedures
The SEC notes that cybersecurity risk management policies and procedures are “key elements of enterprise-wide risk management,” including those aspects related to securities law compliance.
“We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure.”
This means that companies should have sufficient procedures in place to ensure that relevant information about cybersecurity risks and actual events is processed and reported up the ladder on a thorough and timely basis. Such controls and procedures should:
“… enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communication between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.”
In that regard, the SEC pointedly notes that CEOs and CFOs must certify quarterly as to the effectiveness of the company's disclosure controls and procedures, and that those certifications should take into account the adequacy of the company's controls for identifying cybersecurity risks and incidents and assessing their impact. Cybersecurity reporting failures, in other words, are now squarely a certification issue.
Insider Trading Policies
The guidance also highlights the fact that insiders may not trade while in possession of material nonpublic information regarding cybersecurity risks and incidents. Therefore, the SEC encourages companies to "consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents."
Relatedly, the guidance suggests that companies should consider the need for restrictions on trading by insiders in light of cybersecurity risks, for example by imposing a blackout once an incident is known internally but before it has been disclosed. As the SEC puts it, "… companies would be well served by considering how to avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure."
Board Cybersecurity Risk Oversight
Finally, consider the implications of the SEC’s suggestion to disclose in the board risk oversight section of the proxy statement how the board engages in cybersecurity risk oversight to the extent that such risks are material to the company. (For those companies that include cybersecurity risk factors in their Forms 10-K, which is almost everyone, the materiality question has likely already been answered.)
In order to provide the kind of proxy statement disclosure you would be proud to see in print, the board must, in fact, provide appropriate cybersecurity risk oversight. In light of this guidance, it would be timely to revisit how your board’s cybersecurity oversight actually works and whether it would stand up to scrutiny if it had to.